How we hacked Slack

By Mehdi Kouhen. Published in Seald’s Blog, May 10, 2017.

If you don’t know it yet, Seald is a tool that allows users to encrypt messages and files on any platform, including Slack, which is an awesome chat app for teams.

Since we launched the beta of Seald a few months back, feedback we got very often from our Slack-addicted users was that they’d love to be able to use Seald directly from inside the Slack desktop app, instead of having to go to the web version of Slack on Chrome. We loved the idea, being Slack users ourselves. Plus, Seald would go great with Slack: we believe that making communications more efficient, and making them more secure, should go hand in hand.

However, the Slack app does not support client-side extensions, which are necessary for implementing end-to-end encryption: if there is no way to have your code running on the user’s device, there is obviously no way the user’s device can encrypt/decrypt the data. As this was a feature our users were asking for, we started to look into ways it could be done. Of course, we tried contacting the Slack team directly. Multiple times. They never answered.

So, we took matters into our own hands, and started to look at their app to see how it could be done anyway. As a matter of fact, this was just around the time Slack released a new version of its app, based on the Electron framework. Electron is a great tool, built by the GitHub team, that basically packages a Node.js instance with a simplified Chrome-based browser, to be able to build desktop apps using web technologies.

The thing is, Electron is a technology we know extremely well, as Seald itself is built with Electron. Electron-based apps ship with a “.asar” file, basically an archive (think ZIP-like file) containing all the code that has to be run. So, to see if we could get our own code to run, we opened the archive, modified a bit of code manually, and started the Slack app again. To our own surprise, it worked perfectly: we had a way of building a Slack plugin.

As I said, Electron is based on Chrome. So what we did then was take the code of our Chrome extension, inject it into the Slack app, and it just worked. After a bit more packaging work, to transform the manual patching process into a one-click action in our app, that was it: we had a fully functioning Seald plugin for the Slack app. The first client-side plugin for Slack ever.
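Because the app runs whatever code sits in its .asar file, a changed archive can be spotted by hashing the files inside it. The following is an added example, not code from the original post or from Seald or Slack: it parses the asar header and compares per-file SHA-256 digests against a recorded baseline, and the file names and in-memory sample archive are constructed for illustration.

```javascript
const { createHash } = require('crypto');

// asar layout: [u32 4][u32 headerSize][u32 payloadSize][u32 jsonLen][JSON][pad], then file data.
function readHeader(buf) {
  const headerSize = buf.readUInt32LE(4);
  const jsonLen = buf.readUInt32LE(12);
  if (16 + jsonLen > 8 + headerSize || 8 + headerSize > buf.length) throw new Error('corrupt asar header');
  return { tree: JSON.parse(buf.toString('utf8', 16, 16 + jsonLen)), dataStart: 8 + headerSize };
}

// Walk the header tree and return { 'path/in/archive': sha256 hex digest }.
function digestFiles(buf) {
  const { tree, dataStart } = readHeader(buf);
  const out = {};
  (function walk(node, prefix) {
    for (const [name, entry] of Object.entries(node.files)) {
      const path = prefix + name;
      if (entry.files) { walk(entry, path + '/'); continue; }
      if (entry.unpacked || entry.link) continue; // stored outside the archive, or a symlink
      const start = dataStart + Number(entry.offset); // offsets are decimal strings
      if (start + entry.size > buf.length) throw new Error('entry out of bounds: ' + path);
      out[path] = createHash('sha256').update(buf.subarray(start, start + entry.size)).digest('hex');
    }
  })(tree, '');
  return out;
}

// Compare current digests with a baseline recorded from the vendor's original package.
function diffBaseline(baseline, current) {
  const names = [...new Set([...Object.keys(baseline), ...Object.keys(current)])].sort();
  return names.filter((n) => baseline[n] !== current[n])
    .map((n) => `${!(n in baseline) ? 'added' : !(n in current) ? 'removed' : 'modified'}: ${n}`);
}

// Constructed sample input: builds a tiny flat archive in memory (hypothetical file names).
function buildAsar(files) {
  const tree = { files: {} }; const chunks = []; let offset = 0;
  for (const [name, text] of Object.entries(files)) {
    const data = Buffer.from(text);
    tree.files[name] = { size: data.length, offset: String(offset) };
    chunks.push(data); offset += data.length;
  }
  const json = Buffer.from(JSON.stringify(tree));
  const padded = Math.ceil(json.length / 4) * 4; // header string is padded to 4 bytes
  const head = Buffer.alloc(16 + padded);
  [4, padded + 8, padded + 4, json.length].forEach((v, i) => head.writeUInt32LE(v, i * 4));
  json.copy(head, 16);
  return Buffer.concat([head, ...chunks]);
}
```

On a real installation, `digestFiles(fs.readFileSync(pathToAsar))` would be run once on a known-good package to record the baseline and again at audit time.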

[Image: Seald plugin in Slack Desktop app]

Obviously, this is not a hack per se. We have not broken into Slack’s servers. We have not stolen any user data. We have not done anything more than being smart about how to use the tools at our disposal, and working around the problem. However, some people were quite displeased about this… But that’s a story for another day :)

In the meantime, you can try Seald ;)
